Over the last several years, Congress and Defense officials have made increasing investments in “cyber ranges” so that the military’s cyber teams can conduct exercises to help them prepare for actual attacks by sophisticated adversaries.
But at least so far, those ranges have their limitations. By design, they’re isolated from operational networks, and look a lot more like sterile data centers than modern battlefields. Consequently, they can’t show cyber defenders (or attackers) how the actions they take on their keyboards interact with the real world.
Insight by the Anomali: Justice Department, DODIN, DHS and IT-ISAC explore cyber threat intelligence in this free webinar.
That’s starting to change. The Army, with help from the SANS Institute, is beginning to conduct its cyber exercises in a physical training space that closely resembles a fully-functioning city. In a training scenario set to begin next week, soldiers from the service’s Cyber Protection Brigade will try to defend a deep water port from foreign hackers who’ve infiltrated systems that control cranes and other industrial machinery in the physical world.
That’s only possible because the 400-acre Muscatatuck Urban Training Complex, in southeastern Indiana, actually has a port — at least a small-scale one. It also has a functioning power grid, complete with all of the programmable logic controllers one might find in a real-world system, a subway station, a water treatment plant, and many other features of modern urban life a foreign power might target in an actual cyber attack.
“The idea here is we need to have a very well trained military, and we’re putting them in situations where cyber and kinetic touch,” Ed Skoudis, SANS’ director for cyber ranges said in an interview for Federal News Radio’s On DoD. “The best way to prepare for that is to actually engage in training in a life-size mission environment where you have boots-on-the-ground soldiers interacting directly with people with their fingers on keyboard, trying to achieve mission objectives.”
Built nearly a century ago as a state mental institution (the “Indiana Farm Colony for Feeble-Minded Youth”), Muscatatuck eventually came into the possession of the Indiana National Guard. Since then, the Army has constructed more and more features so that it resembles a modern city, and operates like one.
It is the largest urban training environment in the entire U.S. military, but until two years ago, no one had thought about its applications for training cyber teams. Since then, it’s been repurposed into a cyber training ground the Army and SANS refer to as “Cybertropolis.”
In one of the proof-of-concept events that helped lay the foundation for next week’s port exercise, soldiers were tasked with defending a prison from a cyber attacker who’d made their way into the systems that controlled the locking mechanisms on cells and other physical systems. In that event, the defenders were Army cyber protection team members, with SANS experts playing the “red team” attacker role.
“We run a lot of these scenarios where it’s just the fingers on keyboard piece, and you learn a lot from that. But until you go up to full-scale, you can’t really appreciate how all of this stuff really comes together,” Skoudis said. “In the prison scenario, we didn’t anticipate how quickly the cyber protection team would deploy soldiers. They went early, and they did a complete inventory looking for everything that the bad guys might have inside that environment. We didn’t anticipate that, and it served them very well in being able to counter the actions of our attacker team. So when you actually get into the environments themselves, you can see decisions get made about how you’re going to deploy people — what they’re going to be looking for — that you just can’t do in a mockup. And that’s really vital.”
For the upcoming port exercise, Army officials have asked SANS to make the scenario as realistic as possible. That means the cyber teams who will try to defend the port will arrive by helicopter, and bring all of their gear with them. If they accidentally leave a piece of vital networking equipment behind, they’ll have to live without it.
So far, the cyber-focused training events are happening one at a time. But considering the infrastructure the Army has already built at Muscatatuck, there’s no good reason the Army could not use it for multiple scenarios at once.
“That’s what we’ve been talking about since day one, is to have two or three or five different exercises happening simultaneously, and then you can rotate the soldiers in between them,” Skoudis said. “They might do this one for a day or to learn a whole bunch of stuff and rotate then rotate to the next one. The idea there is they can get a lot more training benefit for one set of travel, as opposed to having to go just for a couple of days and then again for another couple of days. It’s about how to do it more efficiently.”
Depending on how well the concept works, it’s conceivable that the idea could be expanded to other military training facilities. But that might prove difficult. DoD owns and operates many other training environments that are designed to look like cities, such as the National Training Center at Fort Irwin, California, but they’re not wired in the way that Muscatatuck is.
“A lot of the urban training centers are mock ups. They’re not much more than cinder blocks and roofs,” said John Nix, a retired Army officer who leads SANS’ federal government division. “They tend to be large open desert areas where maneuver elements can move around with their heavy equipment. But if you talk to folks in DoD, urban environments are becoming more and more the focus of training the future force. We, as a nation, believe that the future battles will be in a densely populated urban areas that will have a huge component of cyber and electronic warfare on top of that. So in that regard, Muscatatuck is unique in what it brings to the table.”
Army leaders appear to agree. The facility’s cyber exercises have attracted visits from several high-level officials in recent months, not just from Army Cyber Command, but from the secretary of the Army himself.
“There will always be that need to have heavy armored forces and infantry soldiers to do what they need to do, but now that we are fighting in multi-domain operations, we need to have the ability to fight by air, ground, sea, space and cyberspace,” Army Secretary Mark Esper said during a July trip. “I was very impressed by what I saw, not just with cyber but will all the capabilities and challenges presented here at this training range and what it could mean for a wide range of Army forces.”
Along those lines, the Army and SANS are also working on plans for future exercises that would not only construct cyber-specific scenarios, but also layer cyber effects on top of the more-traditional training exercises the Army has been conducting at Muscatatuck for years.
“The way things are going, every military mission — even the purely kinetic ones — will have a cyber component,” Skoudis said. “That’s because all of your equipment, all of your munitions, everything is networked together. And if you cannot maintain control of your computer systems, you really can’t maintain control of your fighting forces. So you have a defensive component for every kinetic military mission, but it goes further: you also have an option of an offensive cyber component for every kinetic military mission … so we do want to gradually transition what we’re doing into more general-purpose military missions.”